DEV Community: SiteSecurityScore The latest articles on DEV Community by SiteSecurityScore (@sitesecurityscore). https://dev.to/sitesecurityscore https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3888925%2F53ab2cd1-d467-44d5-a60c-fdc9920c3e55.png DEV Community: SiteSecurityScore https://dev.to/sitesecurityscore en CSP for Third Party Scripts: The Practical Cheat Sheet for GA, Stripe, Intercom, and More SiteSecurityScore Mon, 20 Apr 2026 13:16:42 +0000 https://dev.to/sitesecurityscore/csp-for-third-party-scripts-the-practical-cheat-sheet-for-ga-stripe-intercom-and-more-1gh8 https://dev.to/sitesecurityscore/csp-for-third-party-scripts-the-practical-cheat-sheet-for-ga-stripe-intercom-and-more-1gh8 <p>You ship a Content Security Policy. It works locally. Then marketing adds Google Tag Manager, payments goes live with Stripe, support turns on Intercom, and suddenly the browser console is screaming about violations and half your integrations are dead.</p> <p>This is the number one reason CSP deployments fail in production. Not because the concept is hard, but because every third party service loads scripts from a different set of domains, and none of them make it easy to find.</p> <p>This post is a working cheat sheet for the most common services. The full version with every table, nonce setup, and a <code>strict-dynamic</code> deep dive lives on the main guide: <a href="https://www.sitesecurityscore.com/learning-center/how-to-add-csp-for-third-party-scripts" rel="noopener noreferrer">CSP for Third Party Scripts on SiteSecurityScore</a>.</p> <h2> Why third party scripts break CSP </h2> <p>Every script, image, iframe, font, or XHR call your page makes has to match one of your CSP directives. Third party services typically trigger violations in four ways.</p> <ol> <li>They load a script from their CDN, which needs to be in <code>script-src</code>.</li> <li>That script fetches data from an API, which needs <code>connect-src</code>.</li> <li>It loads an iframe for a widget or checkout, which needs <code>frame-src</code>.</li> <li>It pulls images, fonts, or styles from their domain, which need <code>img-src</code>, <code>font-src</code>, and <code>style-src</code>.</li> </ol> <p>Most services hit three of these four. That is why a CSP that looked clean on day one falls apart the moment someone wires up a tag manager.</p> <h2> Google Analytics 4 with GTM </h2> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">script</span>-<span class="n">src</span> <span class="n">www</span>.<span class="n">googletagmanager</span>.<span class="n">com</span> <span class="n">www</span>.<span class="n">google</span>-<span class="n">analytics</span>.<span class="n">com</span> <span class="n">connect</span>-<span class="n">src</span> <span class="n">www</span>.<span class="n">google</span>-<span class="n">analytics</span>.<span class="n">com</span> <span class="n">analytics</span>.<span class="n">google</span>.<span class="n">com</span> *.<span class="n">google</span>-<span class="n">analytics</span>.<span class="n">com</span> *.<span class="n">analytics</span>.<span class="n">google</span>.<span class="n">com</span> <span class="n">img</span>-<span class="n">src</span> <span class="n">www</span>.<span class="n">google</span>-<span class="n">analytics</span>.<span class="n">com</span> <span class="n">www</span>.<span class="n">googletagmanager</span>.<span class="n">com</span> </code></pre> </div> <p>GTM injects inline scripts for every tag it fires. Do not reach for <code>'unsafe-inline'</code>. Use a nonce on the initial GTM script and add <code>'strict-dynamic'</code> to <code>script-src</code>, and GTM can load its tags without you allowlisting every third party it chains to.</p> <h2> Facebook Pixel </h2> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">script</span>-<span class="n">src</span> <span class="n">connect</span>.<span class="n">facebook</span>.<span class="n">net</span> <span class="n">connect</span>-<span class="n">src</span> <span class="n">www</span>.<span class="n">facebook</span>.<span class="n">com</span> <span class="n">img</span>-<span class="n">src</span> <span class="n">www</span>.<span class="n">facebook</span>.<span class="n">com</span> </code></pre> </div> <h2> Hotjar </h2> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">script</span>-<span class="n">src</span> <span class="n">static</span>.<span class="n">hotjar</span>.<span class="n">com</span> <span class="n">script</span>.<span class="n">hotjar</span>.<span class="n">com</span> <span class="n">connect</span>-<span class="n">src</span> *.<span class="n">hotjar</span>.<span class="n">com</span> *.<span class="n">hotjar</span>.<span class="n">io</span> <span class="n">wss</span>://*.<span class="n">hotjar</span>.<span class="n">com</span> <span class="n">img</span>-<span class="n">src</span> *.<span class="n">hotjar</span>.<span class="n">com</span> <span class="n">font</span>-<span class="n">src</span> *.<span class="n">hotjar</span>.<span class="n">com</span> <span class="n">frame</span>-<span class="n">src</span> <span class="n">vars</span>.<span class="n">hotjar</span>.<span class="n">com</span> </code></pre> </div> <h2> Stripe </h2> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">script</span>-<span class="n">src</span> <span class="n">js</span>.<span class="n">stripe</span>.<span class="n">com</span> <span class="n">frame</span>-<span class="n">src</span> <span class="n">js</span>.<span class="n">stripe</span>.<span class="n">com</span> <span class="n">hooks</span>.<span class="n">stripe</span>.<span class="n">com</span> <span class="n">connect</span>-<span class="n">src</span> <span class="n">api</span>.<span class="n">stripe</span>.<span class="n">com</span> <span class="n">img</span>-<span class="n">src</span> *.<span class="n">stripe</span>.<span class="n">com</span> </code></pre> </div> <p>Stripe is strict. If you miss <code>hooks.stripe.com</code> in <code>frame-src</code>, 3D Secure challenges will silently fail and users will see a blank modal.</p> <h2> PayPal </h2> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">script</span>-<span class="n">src</span> <span class="n">www</span>.<span class="n">paypal</span>.<span class="n">com</span> <span class="n">www</span>.<span class="n">paypalobjects</span>.<span class="n">com</span> <span class="n">frame</span>-<span class="n">src</span> <span class="n">www</span>.<span class="n">paypal</span>.<span class="n">com</span> <span class="n">www</span>.<span class="n">sandbox</span>.<span class="n">paypal</span>.<span class="n">com</span> <span class="n">img</span>-<span class="n">src</span> <span class="n">www</span>.<span class="n">paypalobjects</span>.<span class="n">com</span> <span class="n">connect</span>-<span class="n">src</span> <span class="n">www</span>.<span class="n">paypal</span>.<span class="n">com</span> </code></pre> </div> <h2> Intercom </h2> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">script</span>-<span class="n">src</span> <span class="n">widget</span>.<span class="n">intercom</span>.<span class="n">io</span> <span class="n">js</span>.<span class="n">intercomcdn</span>.<span class="n">com</span> <span class="n">connect</span>-<span class="n">src</span> *.<span class="n">intercom</span>.<span class="n">io</span> <span class="n">wss</span>://*.<span class="n">intercom</span>.<span class="n">io</span> <span class="n">api</span>-<span class="n">iam</span>.<span class="n">intercom</span>.<span class="n">io</span> <span class="n">img</span>-<span class="n">src</span> <span class="n">static</span>.<span class="n">intercomassets</span>.<span class="n">com</span> *.<span class="n">intercomcdn</span>.<span class="n">com</span> <span class="n">frame</span>-<span class="n">src</span> <span class="n">intercom</span>-<span class="n">sheets</span>.<span class="n">com</span> <span class="n">font</span>-<span class="n">src</span> <span class="n">js</span>.<span class="n">intercomcdn</span>.<span class="n">com</span> <span class="n">media</span>-<span class="n">src</span> <span class="n">js</span>.<span class="n">intercomcdn</span>.<span class="n">com</span> </code></pre> </div> <p>Watch the WebSocket entry on <code>connect-src</code>. If you forget <code>wss://*.intercom.io</code>, the widget loads but never connects, and support thinks the chat is broken.</p> <h2> HubSpot </h2> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">script</span>-<span class="n">src</span> <span class="n">js</span>.<span class="n">hs</span>-<span class="n">scripts</span>.<span class="n">com</span> <span class="n">js</span>.<span class="n">hs</span>-<span class="n">analytics</span>.<span class="n">net</span> <span class="n">js</span>.<span class="n">hsadspixel</span>.<span class="n">net</span> <span class="n">js</span>.<span class="n">hsforms</span>.<span class="n">net</span> <span class="n">js</span>.<span class="n">hs</span>-<span class="n">banner</span>.<span class="n">com</span> <span class="n">connect</span>-<span class="n">src</span> <span class="n">api</span>.<span class="n">hubspot</span>.<span class="n">com</span> <span class="n">forms</span>.<span class="n">hubspot</span>.<span class="n">com</span> <span class="n">img</span>-<span class="n">src</span> <span class="n">track</span>.<span class="n">hubspot</span>.<span class="n">com</span> <span class="n">forms</span>.<span class="n">hubspot</span>.<span class="n">com</span> <span class="n">frame</span>-<span class="n">src</span> <span class="n">app</span>.<span class="n">hubspot</span>.<span class="n">com</span> </code></pre> </div> <h2> Crisp Chat </h2> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">script</span>-<span class="n">src</span> <span class="n">client</span>.<span class="n">crisp</span>.<span class="n">chat</span> <span class="n">connect</span>-<span class="n">src</span> <span class="n">client</span>.<span class="n">crisp</span>.<span class="n">chat</span> <span class="n">wss</span>://<span class="n">client</span>.<span class="n">relay</span>.<span class="n">crisp</span>.<span class="n">chat</span> <span class="n">img</span>-<span class="n">src</span> <span class="n">client</span>.<span class="n">crisp</span>.<span class="n">chat</span> <span class="n">image</span>.<span class="n">crisp</span>.<span class="n">chat</span> <span class="n">style</span>-<span class="n">src</span> <span class="n">client</span>.<span class="n">crisp</span>.<span class="n">chat</span> <span class="n">font</span>-<span class="n">src</span> <span class="n">client</span>.<span class="n">crisp</span>.<span class="n">chat</span> </code></pre> </div> <h2> Google Fonts </h2> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">style</span>-<span class="n">src</span> <span class="n">fonts</span>.<span class="n">googleapis</span>.<span class="n">com</span> <span class="n">font</span>-<span class="n">src</span> <span class="n">fonts</span>.<span class="n">gstatic</span>.<span class="n">com</span> </code></pre> </div> <h2> reCAPTCHA v3 </h2> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">script</span>-<span class="n">src</span> <span class="n">www</span>.<span class="n">google</span>.<span class="n">com</span> <span class="n">www</span>.<span class="n">gstatic</span>.<span class="n">com</span> <span class="n">frame</span>-<span class="n">src</span> <span class="n">www</span>.<span class="n">google</span>.<span class="n">com</span> </code></pre> </div> <h2> YouTube embeds </h2> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">frame</span>-<span class="n">src</span> <span class="n">www</span>.<span class="n">youtube</span>.<span class="n">com</span> <span class="n">www</span>.<span class="n">youtube</span>-<span class="n">nocookie</span>.<span class="n">com</span> <span class="n">img</span>-<span class="n">src</span> <span class="n">i</span>.<span class="n">ytimg</span>.<span class="n">com</span> <span class="n">img</span>.<span class="n">youtube</span>.<span class="n">com</span> </code></pre> </div> <h2> Google Maps </h2> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">script</span>-<span class="n">src</span> <span class="n">maps</span>.<span class="n">googleapis</span>.<span class="n">com</span> <span class="n">frame</span>-<span class="n">src</span> <span class="n">www</span>.<span class="n">google</span>.<span class="n">com</span> <span class="n">maps</span>.<span class="n">google</span>.<span class="n">com</span> <span class="n">img</span>-<span class="n">src</span> <span class="n">maps</span>.<span class="n">googleapis</span>.<span class="n">com</span> <span class="n">maps</span>.<span class="n">gstatic</span>.<span class="n">com</span> *.<span class="n">ggpht</span>.<span class="n">com</span> <span class="n">connect</span>-<span class="n">src</span> <span class="n">maps</span>.<span class="n">googleapis</span>.<span class="n">com</span> </code></pre> </div> <h2> A realistic SaaS CSP </h2> <p>Here is what a production CSP looks like when you stitch GTM, Stripe, Intercom, Google Fonts, and reCAPTCHA together.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">Content</span>-<span class="n">Security</span>-<span class="n">Policy</span>: <span class="n">default</span>-<span class="n">src</span> <span class="s1">'self'</span>; <span class="n">script</span>-<span class="n">src</span> <span class="s1">'self'</span> <span class="s1">'nonce-{value}'</span> <span class="s1">'strict-dynamic'</span> <span class="n">www</span>.<span class="n">googletagmanager</span>.<span class="n">com</span> <span class="n">www</span>.<span class="n">google</span>.<span class="n">com</span> <span class="n">www</span>.<span class="n">gstatic</span>.<span class="n">com</span> <span class="n">js</span>.<span class="n">stripe</span>.<span class="n">com</span> <span class="n">widget</span>.<span class="n">intercom</span>.<span class="n">io</span> <span class="n">js</span>.<span class="n">intercomcdn</span>.<span class="n">com</span>; <span class="n">style</span>-<span class="n">src</span> <span class="s1">'self'</span> <span class="s1">'nonce-{value}'</span> <span class="n">fonts</span>.<span class="n">googleapis</span>.<span class="n">com</span>; <span class="n">font</span>-<span class="n">src</span> <span class="s1">'self'</span> <span class="n">fonts</span>.<span class="n">gstatic</span>.<span class="n">com</span> <span class="n">js</span>.<span class="n">intercomcdn</span>.<span class="n">com</span>; <span class="n">img</span>-<span class="n">src</span> <span class="s1">'self'</span> <span class="n">data</span>: <span class="n">https</span>: <span class="n">www</span>.<span class="n">googletagmanager</span>.<span class="n">com</span> <span class="n">www</span>.<span class="n">google</span>-<span class="n">analytics</span>.<span class="n">com</span> <span class="n">static</span>.<span class="n">intercomassets</span>.<span class="n">com</span> *.<span class="n">intercomcdn</span>.<span class="n">com</span> *.<span class="n">stripe</span>.<span class="n">com</span>; <span class="n">connect</span>-<span class="n">src</span> <span class="s1">'self'</span> <span class="n">www</span>.<span class="n">google</span>-<span class="n">analytics</span>.<span class="n">com</span> <span class="n">analytics</span>.<span class="n">google</span>.<span class="n">com</span> *.<span class="n">google</span>-<span class="n">analytics</span>.<span class="n">com</span> *.<span class="n">analytics</span>.<span class="n">google</span>.<span class="n">com</span> <span class="n">api</span>.<span class="n">stripe</span>.<span class="n">com</span> *.<span class="n">intercom</span>.<span class="n">io</span> <span class="n">wss</span>://*.<span class="n">intercom</span>.<span class="n">io</span>; <span class="n">frame</span>-<span class="n">src</span> <span class="s1">'self'</span> <span class="n">www</span>.<span class="n">google</span>.<span class="n">com</span> <span class="n">js</span>.<span class="n">stripe</span>.<span class="n">com</span> <span class="n">hooks</span>.<span class="n">stripe</span>.<span class="n">com</span> <span class="n">intercom</span>-<span class="n">sheets</span>.<span class="n">com</span>; <span class="n">media</span>-<span class="n">src</span> <span class="s1">'self'</span> <span class="n">js</span>.<span class="n">intercomcdn</span>.<span class="n">com</span>; <span class="n">report</span>-<span class="n">uri</span> /<span class="n">api</span>/<span class="n">csp</span>-<span class="n">report</span> </code></pre> </div> <p>Long, but every line has a reason. No wildcards on broad domains, no <code>'unsafe-inline'</code> in <code>script-src</code>, and <code>strict-dynamic</code> handles anything GTM or Intercom chain-loads at runtime.</p> <h2> A few rules that keep this sane </h2> <p>Prefer the most specific domain. <code>js.stripe.com</code> beats <code>*.stripe.com</code>, which beats <code>https:</code>. Every level of specificity is one less place an attacker can hide.</p> <p>Do not dump everything into <code>default-src</code>. If Stripe only needs <code>script-src</code> and <code>frame-src</code>, leaving it in <code>default-src</code> silently allows it for images and fonts too.</p> <p>Audit on a schedule. Google has migrated analytics endpoints multiple times. Stripe has added domains for new checkout flows. Your CSP from last year is probably already wrong.</p> <p>Delete services you no longer use. Every allowlisted domain you forgot about is a domain an attacker can abuse if that vendor ever gets compromised.</p> <h2> How to find the domains you missed </h2> <p>Even with a cheat sheet, your site uses something this post does not list. Three ways to find out what.</p> <p><strong>Ship in report-only mode first.</strong> Set <code>Content-Security-Policy-Report-Only</code> with a <code>report-uri</code> or <code>report-to</code> endpoint. The browser sends you a structured violation for every blocked request without breaking production. Walk through the funnel, collect the reports, then tighten the policy. The full walkthrough is in <a href="https://www.sitesecurityscore.com/learning-center/csp-reporting-guide" rel="noopener noreferrer">How CSP Reporting Works</a>.</p> <p><strong>Use DevTools Network tab.</strong> Open the site, reload with the Network tab open, sort by domain. Every external host your page touches is a candidate for your CSP.</p> <p><strong>Scan the site.</strong> <a href="https://www.sitesecurityscore.com/" rel="noopener noreferrer">SiteSecurityScore</a> parses your live CSP, shows which directives are set, and flags gaps for the services it detects on your page.</p> <h2> Free tools that helped me write this </h2> <p>These are all on the main site and free to use, no account needed.</p> <ul> <li> <a href="https://www.sitesecurityscore.com/learning-center/csp-generator-guide" rel="noopener noreferrer">CSP Generator</a> builds a policy from a checklist of services and gives you a working <code>Content-Security-Policy</code> header.</li> <li> <a href="https://www.sitesecurityscore.com/learning-center/csp-reporting-guide" rel="noopener noreferrer">CSP Reporting Guide</a> shows how to stand up a <code>report-uri</code> endpoint and interpret the violation payloads.</li> <li> <a href="https://www.sitesecurityscore.com/learning-center/hsts-generator-guide" rel="noopener noreferrer">HSTS Generator</a> for the other header everyone gets wrong.</li> <li> <a href="https://www.sitesecurityscore.com/learning-center/permissions-policy-generator-guide" rel="noopener noreferrer">Permissions Policy Generator</a> for locking down camera, mic, geolocation, and payment APIs.</li> <li> <a href="https://www.sitesecurityscore.com/learning-center/cors-generator-guide" rel="noopener noreferrer">CORS Generator</a> for the adjacent problem of cross origin requests.</li> <li>The main <a href="https://www.sitesecurityscore.com/" rel="noopener noreferrer">security scanner</a> grades headers, TLS, cookies, CSP coverage, and third party script exposure in one pass.</li> </ul> <h2> TL;DR </h2> <p>Third party scripts break CSP because nobody documents the exact domains their service needs across every directive. Steal the tables above, start in report-only mode, watch your violation reports, and iterate until production is quiet.</p> <p>Full version with nonce setup, <code>strict-dynamic</code> explanation, and a complete FAQ is on the main guide: <a href="https://www.sitesecurityscore.com/learning-center/how-to-add-csp-for-third-party-scripts" rel="noopener noreferrer">CSP for Third Party Scripts on SiteSecurityScore</a>.</p> <p>If your site is already in production and you want a quick read on whether your CSP actually covers the scripts you are loading, <a href="https://www.sitesecurityscore.com/" rel="noopener noreferrer">run it through the scanner</a>. Takes about 10 seconds.</p> security webdev javascript devops